Timed-arc Petri nets (TAPN) are a well-known time extension of the Petri net model and several translations to networks of timed automata have been proposed for this model. We present a direct, DBM-based algorithm for forward reachability analysis of bounded TAPNs extended with transport arcs, inhibitor arcs and age invariants. We also give a complete proof of its correctness, including reduction techniques based on symmetries and extrapolation. Finally, we augment the algorithm with a novel state-space reduction technique introducing a monotonic ordering on markings and prove its soundness even in the presence of monotonicity-breaking features like age invariants and inhibitor arcs. We implement the algorithm within the model-checker TAPAAL and the experimental results document an encouraging performance compared to verification approaches that translate TAPN models to UPPAAL timed automata.



1 Introduction 

Time-dependent models and their formal analysis have attracted considerable research activity. Notable formalisms include timed automata (TA) [?], time Petri nets (TPN) [18] and timed-arc Petri nets (TAPN) [?]. A comparison of the different modelling formalisms is provided in [23].

We shall focus on the TAPN model where tokens are assigned a nonnegative real number representing their age and input arcs of transitions contain time intervals restricting the usable ages of tokens for transition firing. The state-space of the model is in general infinite in two dimensions: the number of tokens in a marking can be unbounded, and the continuous time aspect induces infinitely many clock valuations. Indeed, the reachability problem for the model is undecidable [21], while coverability remains decidable [2]. Moreover, for modelling purposes additional features like inhibitor/transport arcs and age invariants are needed, but they also make the coverability problem undecidable [14].

We restrict our focus to bounded TAPNs where the maximum number of tokens in all reachable markings is fixed. This model is equally expressive to networks of timed automata [22] and efficient translations from TAPN into UPPAAL timed automata [16] have been implemented and employed in the model-checker TAPAAL [9]. The translation approach has, however, some drawbacks: experimentation with state-space reduction techniques is difficult and the engine does not return error traces when symmetry reduction is enabled.

We therefore design a novel reachability algorithm for extended TAPN that incorporates efficient extrapolation, symmetry reduction and monotonic inclusion techniques to optimize its performance, while at the same time returning error traces with concrete time delays. We give a complete proof of the correctness of the algorithm, including all the optimization techniques. We provide an efficient (C++), open-source implementation of the algorithm and integrate the new engine into the tool TAPAAL. The experiments confirm the high efficiency of the new reachability algorithm and we document this by two larger case studies.
Related work. Verification techniques for TAPNs include a backward coverability algorithm based on existential zones (notably terminating also for unbounded nets) and a forward reachability algorithm based on region generators, both presented in [1]. Both algorithms rely on the monotonic behaviour of the generated transition systems; however, inhibitor arcs and age invariants break this monotonicity [14] and hence the techniques are not applicable to extended TAPNs. Backward algorithms are generally rather inefficient for on-the-fly state-space exploration and for the employment of state-space reductions, while the forward algorithm from [1] is based on a less efficient region construction instead of a zone-based one. The algorithms were implemented in prototype tools with no GUI and are not maintained any more.

There are efficient tools like TINA [6] or Romeo [12] for model-checking time Petri nets (TPN). The tools are based on abstractions using state-class graphs, but even though bounded TPN are essentially equally expressive as bounded TAPNs (see [23] for an overview), the translations are exponential and do not allow a direct performance comparison, because the modelling capabilities and the treatment of time in TPN and TAPN are very different.

The definition of our extrapolation (abstraction) operator follows [4], where a similar operator was suggested for timed automata; our extension (apart from its adaptation to the TAPN setting) is the handling of dynamic maximum constants depending on the current marking (see also [13] for a dynamic extrapolation on timed automata). The main novelty is our definition of an inclusion operator that incorporates symmetry reduction and works also for nets with monotonicity-breaking features.



2 Timed-Arc Petri Nets



Let $\mathbb{N}$ be the set of natural numbers and let $\mathbb{N}_0 = \mathbb{N} \cup \{0\}$. By $\mathbb{R}_{\geq 0}$ we denote the set of non-negative real numbers. The set of time intervals $\mathcal{I}$ is given by the abstract syntax ($a \in \mathbb{N}_0$, $b \in \mathbb{N}$ and $a < b$): $I ::= [a,a] \mid [a,b] \mid [a,b) \mid (a,b] \mid (a,b) \mid [a,\infty) \mid (a,\infty)$. The set of invariant intervals, $\mathcal{I}_{inv}$, consists of intervals that include 0.

Let $\mathcal{C} = \{0,1,2,\ldots,n\}$ be a finite set of real-valued clocks whose elements (numbers) represent names of clocks. The clock 0 is a special pseudoclock that always has the value 0. A (clock) valuation over $\mathcal{C}$ is a function $v : \mathcal{C} \to \mathbb{R}_{\geq 0}$ such that $v(0) = 0$. The set of all valuations over the clocks $\mathcal{C}$ is denoted by $\mathcal{V}$. Let $v$ be a valuation and $d$ a nonnegative real. We let $v + d$ be the valuation such that $(v+d)(i) = v(i) + d$ for every $i \in \mathcal{C} \setminus \{0\}$ and $(v+d)(0) = 0$. Further, for a subset of clocks $R \subseteq \mathcal{C}$, we let $v^{R=0}$ be the valuation such that $v^{R=0}(i) = 0$ if $i \in R$ and $v^{R=0}(i) = v(i)$ otherwise.

Let $W \subseteq \mathcal{V}$ be a set of valuations and let $R \subseteq \mathcal{C}$. We define the delay operation as $W^{\uparrow} = \{v + d \mid v \in W \text{ and } d \in \mathbb{R}_{\geq 0}\}$ and the reset operation as $W^{R=0} = \{v^{R=0} \mid v \in W\}$.

A timed labeled transition system (TLTS) is a tuple $(S, Lab, \to)$ where $S$ is a set of states (or processes), $Lab = Act \cup \mathbb{R}_{\geq 0}$ is a set of labels, consisting of discrete actions and time delays, and $\to \subseteq (S \times Lab \times S)$ is the transition relation. We often write $s \xrightarrow{a} s'$ instead of $(s,a,s') \in \to$ and if the label is not important, we simply write $s \to s'$.

We shall now define the Timed-Arc Petri Net (TAPN) model, restricting ourselves to $k$-bounded nets (where every reachable marking has at most $k$ tokens). An example of a 4-bounded TAPN is given in Figure 1. It consists of six places (circles), one transition (rectangle) and two tokens of age 2.1 and 3.4 representing the current marking. Input arcs to the transition $t$ contain time intervals and because both tokens belong to the corresponding interval, the transition can fire, consume the two tokens in $p_1$ and $p_2$, and produce a new token of age 0 in each of the places $p_3$, $p_5$ and $p_6$. Because the place $p_1$ is connected to $p_4$ via a pair of transport arcs (denoted by a diamond tip), the token of age 2.1 is moved to $p_4$ while its age is preserved. Should there be more pairs of transport arcs connected to the transition $t$, we label them with numbers so that the routes on which tokens travel are clearly marked. Finally, note that the place $p_4$ has an associated age invariant, restricting the possible ages of tokens in the place to strictly less than 3. Should we in the current marking first delay 0.9 time units, both tokens in $p_1$ and $p_2$ would still fit into their intervals, but the transition $t$ is not enabled any more due to the age invariant in the place $p_4$.

Figure 1: A TAPN with $\mathit{Pairing}(t) = \{(p_1,p_4), (p_2,p_3), (\bot,p_5), (\bot,p_6)\}$

Definition A TAPN is a 7-tuple $(P, T, IA, OA, c, \mathit{Type}, \iota)$ where

• $P$ is a finite set of places,

• $T$ is a finite set of transitions such that $P \cap T = \emptyset$,

• $IA \subseteq P \times T$ is a finite set of input arcs,

• $OA \subseteq T \times P$ is a finite set of output arcs,

• $c : IA \to \mathcal{I}$ assigns intervals to input arcs,

• $\mathit{Type} : IA \cup OA \to \{\mathit{Normal}, \mathit{Inhib}\} \cup \{\mathit{Transport}_i \mid i \in \mathbb{N}\}$ is a function assigning a type to all arcs such that

  - $\mathit{Type}(a) = \mathit{Inhib} \Rightarrow a \in IA \wedge c(a) = [0,\infty)$,

  - $\mathit{Type}(p,t) = \mathit{Transport}_i \Rightarrow \exists!(t,p') \in OA \,.\, \mathit{Type}(t,p') = \mathit{Transport}_i$, and

  - $\mathit{Type}(t,p') = \mathit{Transport}_i \Rightarrow \exists!(p,t) \in IA \,.\, \mathit{Type}(p,t) = \mathit{Transport}_i$, and

• $\iota : P \to \mathcal{I}_{inv}$ assigns age invariants to places.

For notational convenience, we write $\mathit{Type}(a) = \mathit{Transport}$ if $\mathit{Type}(a) = \mathit{Transport}_i$ for some $i$. For a transition $t \in T$, we define the preset of $t$ as ${}^\bullet t = \{p \in P \mid (p,t) \in IA,\ \mathit{Type}(p,t) \neq \mathit{Inhib}\}$ and the postset of $t$ as $t^\bullet = \{p \in P \mid (t,p) \in OA\}$.

We denote by $P_\bot$ the set $P \cup \{\bot\}$ where $\bot$ is a special symbol representing a pseudo-place that holds the currently unused tokens. The augmented preset and augmented postset of a transition $t$ are defined as the multisets
\[ {}^\circ t = \{p_1, \ldots, p_m \mid \{p_1,\ldots,p_\ell\} = {}^\bullet t,\ p_i = \bot \text{ if } \ell < i \leq m\} \]
\[ t^\circ = \{p_1, \ldots, p_m \mid \{p_1,\ldots,p_\ell\} = t^\bullet,\ p_i = \bot \text{ if } \ell < i \leq m\} \]
where $m = \max(|{}^\bullet t|, |t^\bullet|)$. This guarantees that $|{}^\circ t| = |t^\circ|$ for any transition $t$, a convenient technical detail used in the algorithms. We also extend the definition of $c$ and $\iota$ such that $c(\bot,t) = [0,\infty)$ whenever $\bot \in {}^\circ t$ and $\iota(\bot) = [0,\infty)$.

A token in a $k$-bounded TAPN is an element from the set $\{1,2,\ldots,k\}$. A marking is a pair $M = (pl, v)$ where $pl : \{1,2,\ldots,k\} \to P_\bot$ is the placement function and $v : \{1,2,\ldots,k\} \to \mathbb{R}_{\geq 0}$ is the age function. The placement determines the current location of each token (it returns $\bot$ if the token is unused) and the age function represents the age of each token. The placement function will sometimes be written as a vector where e.g. $[p_1, p_2, p_1]$ represents the fact that tokens 1 and 3 are located in the place $p_1$ and token 2 is located in $p_2$. The set of all markings on a $k$-bounded TAPN $N$ is denoted by $\mathcal{M}(N)$. A marked $k$-bounded TAPN is a pair $(N, (pl_0, v_0))$ where $N$ is a $k$-bounded TAPN and $(pl_0, v_0)$ is the initial marking where $v_0(i) = 0$ for all $i$, $1 \leq i \leq k$.
Since there are always $k$ tokens in any marking (unused ones are in $\bot$), it is for algorithmic purposes convenient to fix for each transition the paths from input to output places. This is formalized in the function $\mathit{Pairing} : T \to 2^{P_\bot \times P_\bot}$ such that for every transition $t$ we have
\[ \mathit{Pairing}(t) = \{(p_1,p'_1),\ldots,(p_\ell,p'_\ell) \mid \{p_1,\ldots,p_\ell\} = {}^\circ t,\ \{p'_1,\ldots,p'_\ell\} = t^\circ \text{ and } \mathit{Type}(p_i,t) = \mathit{Type}(t,p'_j) = \mathit{Transport}_\ell \Rightarrow i = j\} . \]

An example of a possible pairing function is given in Figure 1.

The effect of moving tokens in a placement $pl$ by firing a transition $t$ with the pairing $\mathit{Pairing}(t) = \{(p_1,p'_1), (p_2,p'_2), \ldots, (p_\ell,p'_\ell)\}$ is defined in the expected way as follows. Let $IN = \{i_1, i_2, \ldots, i_\ell\} \subseteq \{1,2,\ldots,k\}$ be a set of tokens placed in the places $p_1$ to $p_\ell$ and used for firing $t$. Formally, $pl(i_j) = p_j$ for all $1 \leq j \leq \ell$. The move function $\mathit{move}(pl,IN,t) : \{1,2,\ldots,k\} \to P_\bot$ is now given by
\[ \mathit{move}(pl,IN,t)(i) = \begin{cases} pl(i) & \text{if } i \notin IN \\ p'_j & \text{if } i \in IN \text{ such that } i = i_j . \end{cases} \]

Consider Figure 1 and let $pl = [p_1, p_2, \bot, \bot]$. Then $\mathit{move}(pl, \{1,2,3,4\}, t) = [p_4, p_3, p_5, p_6]$.

Transition Enabledness A transition $t \in T$ is enabled by a set of tokens $IN \subseteq \{1,2,\ldots,k\}$ in a marking $(pl,v)$ if

(i) ${}^\circ t = \{pl(i) \mid i \in IN\}$

(ii) $v(i) \in c(pl(i),t)$ for all $i \in IN$

(iii) $\mathit{Type}(pl(i),t) = \mathit{Transport}$ implies $v(i) \in \iota(\mathit{move}(pl,IN,t)(i))$ for all $i \in IN$

(iv) $(pl(i),t) \in IA$ implies $\mathit{Type}(pl(i),t) \neq \mathit{Inhib}$ for all $i \in \{1,2,\ldots,k\} \setminus IN$.

A transition $t$ is hence enabled if there is a token in each of its input places (i), the ages of these tokens fit into the intervals on the input arcs (ii), the age of the token that is moved along a pair of transport arcs does not break the age invariant of the place where it is moved to (iii), and there is no token in any place connected via an inhibitor arc to the transition $t$ (iv).

Transition Firing A transition $t$ enabled in a marking $(pl,v)$ by the set of tokens $IN$ can fire, producing a marking $(\mathit{move}(pl,IN,t), v^{R=0})$ where $R = \{i \in IN \mid \mathit{Type}(pl(i),t) \neq \mathit{Transport}\}$.

Time Delay A time delay of $d \in \mathbb{R}_{\geq 0}$ time units is possible in a marking $(pl,v)$ if $v(i) + d \in \iota(pl(i))$ for all $i \in \{1,2,\ldots,k\}$. By delaying $d$ time units, we reach the marking $(pl, v+d)$.

The concrete execution semantics of a TAPN $N = (P,T,IA,OA,c,\mathit{Type},\iota)$ is given by a TLTS $T(N) = (\mathcal{M}(N), T \cup \mathbb{R}_{\geq 0}, \to)$ where states are markings on $N$ and labels are transition names and time delays. The transition relation $\to$ is defined so that $M \xrightarrow{t} M'$ if by firing $t$ in the marking $M$ we reach the marking $M'$, and $M \xrightarrow{d} M'$ if by delaying $d$ time units in the marking $M$ we reach the marking $M'$.
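The concrete semantics of this section (enabledness conditions (i)-(iv), firing with transport arcs and resets, and time delay under age invariants) run on the Figure 1 net, as an added example that is not the paper's or TAPAAL's code. The arc intervals $[1,4]$ on $(p_1,t)$ and $[2,5)$ on $(p_2,t)$ are constructed assumptions (the text only states that both tokens fit before and after a 0.9 delay); tokens are numbered from 0 and $IN$ is passed as a tuple ordered like $\mathit{Pairing}(t)$.

```python
# Added example, not the paper's or TAPAAL's code: the concrete semantics of
# Section 2 (enabledness, firing, delay) run on the 4-bounded net of Figure 1.
# The arc intervals [1,4] on (p1,t) and [2,5) on (p2,t) are constructed
# assumptions; the text only says both tokens fit before and after a 0.9 delay.
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

BOT = None                 # the pseudo-place ⊥ that holds unused tokens
INF = float("inf")


@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float
    lo_closed: bool = True
    hi_closed: bool = True

    def __contains__(self, x: float) -> bool:
        above = x > self.lo or (self.lo_closed and x == self.lo)
        below = x < self.hi or (self.hi_closed and x == self.hi)
        return above and below


ANY = Interval(0, INF, True, False)     # [0, ∞): default guard and invariant


@dataclass(frozen=True)
class Arc:
    interval: Interval = ANY            # c(p, t)
    kind: str = "Normal"                # Type(p, t): "Normal" | "Inhib" | "Transport"


@dataclass
class Transition:
    inputs: Dict[str, Arc]                                   # input arcs (p, t)
    pairing: Sequence[Tuple[Optional[str], Optional[str]]]   # Pairing(t), ordered


@dataclass
class TAPN:
    invariants: Dict[str, Interval]     # ι(p); places not listed have [0, ∞)

    def inv(self, p: Optional[str]) -> Interval:
        return ANY if p is BOT else self.invariants.get(p, ANY)   # ι(⊥) = [0, ∞)

    def guard(self, p: Optional[str], t: Transition) -> Arc:
        return Arc() if p is BOT else t.inputs[p]                # c(⊥, t) = [0, ∞)


Marking = Tuple[List[Optional[str]], List[float]]   # (pl, v) over tokens 0..k-1


def move(pl, IN, t: Transition):
    """move(pl, IN, t): token IN[j] travels along the j-th pair of Pairing(t)."""
    new = list(pl)
    for i, (_, dst) in zip(IN, t.pairing):
        new[i] = dst
    return new


def enabled(net: TAPN, M: Marking, t: Transition, IN) -> bool:
    """Conditions (i)-(iv) of Transition Enabledness; IN is ordered like Pairing(t)."""
    pl, v = M
    if [pl[i] for i in IN] != [src for src, _ in t.pairing]:    # (i) IN covers °t
        return False
    moved = move(pl, IN, t)
    for i in IN:
        arc = net.guard(pl[i], t)
        if v[i] not in arc.interval:                             # (ii) guard on input arc
            return False
        if arc.kind == "Transport" and v[i] not in net.inv(moved[i]):
            return False                                         # (iii) target invariant
    for i in range(len(pl)):
        arc = t.inputs.get(pl[i]) if pl[i] is not BOT else None
        if i not in IN and arc is not None and arc.kind == "Inhib":
            return False                                         # (iv) inhibitor place occupied
    return True


def fire(net: TAPN, M: Marking, t: Transition, IN) -> Marking:
    """Transition Firing: move the tokens and reset ages of non-transport ones."""
    pl, v = M
    R = {i for i in IN if net.guard(pl[i], t).kind != "Transport"}
    return move(pl, IN, t), [0.0 if i in R else v[i] for i in range(len(v))]


def delay(net: TAPN, M: Marking, d: float) -> Optional[Marking]:
    """Time Delay: allowed only if every aged token still meets its place invariant."""
    pl, v = M
    aged = [x + d for x in v]
    if all(aged[i] in net.inv(pl[i]) for i in range(len(pl))):
        return pl, aged
    return None


# Figure 1: p1 -> p4 is a pair of transport arcs and ι(p4) = [0, 3).
T = Transition(
    inputs={"p1": Arc(Interval(1, 4), "Transport"), "p2": Arc(Interval(2, 5, True, False))},
    pairing=[("p1", "p4"), ("p2", "p3"), (BOT, "p5"), (BOT, "p6")])
FIG1 = TAPN(invariants={"p4": Interval(0, 3, True, False)})
M0: Marking = (["p1", "p2", BOT, BOT], [2.1, 3.4, 0.0, 0.0])   # the marking of Figure 1
ALL = (0, 1, 2, 3)

if __name__ == "__main__":
    print(enabled(FIG1, M0, T, ALL), fire(FIG1, M0, T, ALL))
    print(enabled(FIG1, delay(FIG1, M0, 0.9), T, ALL))   # False: token 0 would be 3.0 in p4
```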



3 Symbolic Semantics 

The concrete execution semantics is not suitable for the actual verification as there are infinitely (in fact uncountably) many reachable markings. Therefore we give a symbolic semantics of $k$-bounded TAPNs with respect to some given abstraction operator and show that the symbolic semantics preserves the answer to the reachability question.
A symbolic marking of a $k$-bounded TAPN is a pair $(pl, W)$ where $pl : \{1,2,\ldots,k\} \to P_\bot$ is a placement function and $W \subseteq \mathcal{V}$ is a set of valuations.

In order to guarantee the finiteness of the state-space in the abstract semantics, we consider abstraction operators that can enlarge (extrapolate) the possible sets of valuations in symbolic markings. Instead of considering global abstraction operators like for example in the timed automata theory (see e.g. [?]), our abstraction operators depend also on the current placement.

Definition An abstraction operator is a function $\alpha : [\{1,2,\ldots,k\} \to P_\bot] \times 2^{\mathcal{V}} \to 2^{\mathcal{V}}$ such that $W \subseteq \alpha(pl,W)$ for all symbolic markings $(pl,W)$.

An example of an abstraction operator is the identity abstraction operator $\alpha_{id}$ where $\alpha_{id}(pl,W) = W$ for all symbolic markings $(pl,W)$.

Our aim is of course to find an operator that for a given net abstracts as much as possible. To do so, we use the function $mc_{\mathcal{I}} : \mathcal{I} \to \mathbb{N}_0$ that returns, for an interval $I$, the maximum constant different from $\infty$ appearing in $I$. Let $gc$ be the maximum constant different from $\infty$ that appears in intervals or invariants of the given TAPN. The function $mc : P_\bot \to \mathbb{N}_0$ now returns, for each place $p$, the maximum constant appearing in the guards of outgoing arcs from $p$ or in the invariant of $p$; if there are transport arcs connected to $p$, the constant is $gc$:
\[ mc(p) = \begin{cases} gc & \text{if there exists } (p,t) \in IA \text{ s.t. } \mathit{Type}(p,t) = \mathit{Transport} \\ \max\big(mc_{\mathcal{I}}(\iota(p)),\ \max_{(p,t) \in IA} mc_{\mathcal{I}}(c(p,t))\big) & \text{otherwise.} \end{cases} \]



Following [4], we proceed to define an equivalence on valuations. The addition in our paper is that we take the placement function into account, thereby allowing for dynamic maximum constants. Let $pl$ be a placement function and let $v$ and $v'$ be valuations. We write $v \equiv_{pl} v'$ if for all $i \in \mathcal{C} \setminus \{0\}$

1. $v(i) = v'(i)$, or

2. $v(i) > mc(pl(i))$ and $v'(i) > mc(pl(i))$.

Hence two related valuations are indistinguishable from each other in the sense that they can be used to fire the same transitions. Now we can define an abstraction operator based on the relation above.

Definition Let $\alpha_\equiv(pl,W) = \{v' \mid v' \equiv_{pl} v \text{ and } v \in W\}$ for a set of valuations $W \subseteq \mathcal{V}$ and a placement function $pl$.

Clearly, $W \subseteq \alpha_\equiv(pl,W)$ for any set of valuations $W \subseteq \mathcal{V}$ and any placement function $pl$ as the relation is reflexive. For two abstraction operators $\alpha$ and $\alpha'$ we write $\alpha \sqsubseteq \alpha'$ if $\alpha(pl,W) \subseteq \alpha'(pl,W)$ for all placement functions $pl$ and all $W \subseteq \mathcal{V}$.

We are now ready to give the symbolic semantics of TAPNs. Let $g$ be a function that takes a placement function $pl$, a set of tokens $IN$ and a transition $t$ as its arguments (assuming that ${}^\circ t = \{pl(i) \mid i \in IN\}$) and returns the set of all valuations such that the tokens in $IN$ satisfy all guards on the input arcs of $t$. Formally, $g(pl,IN,t) = \bigcap_{i \in IN} \{v \in \mathcal{V} \mid v(i) \in c(pl(i),t)\}$. Similarly, we define a function $I$ that takes a placement function as its argument and returns the set of all valuations satisfying the age invariants. Formally, $I(pl) = \bigcap_{i \in \mathcal{C} \setminus \{0\}} \{v \in \mathcal{V} \mid v(i) \in \iota(pl(i))\}$.

Symbolic Semantics Let $(N,(pl_0,v_0))$ be a marked $k$-bounded TAPN and let $\alpha$ be an abstraction operator. The symbolic semantics of $(N,(pl_0,v_0))$ is given by a TLTS $T(N) = (S, L, \leadsto_\alpha)$ where

• $S = [\{1,2,\ldots,k\} \to P_\bot] \times (2^{\mathcal{V}} \setminus \emptyset)$,

• $L = T \cup \{\varepsilon\}$, and

• $(pl,W) \leadsto^{t}_{\alpha} (pl', \alpha(pl',W'))$ if $t$ is a transition and there is a set of tokens $IN$ such that

  - ${}^\circ t = \{pl(i) \mid i \in IN\}$

  - $pl' = \mathit{move}(pl,IN,t)$

  - $W' = (W \cap g(pl,IN,t))^{R=0} \cap I(pl')$ is consistent ($W' \neq \emptyset$) where $R = \{i \in IN \mid \mathit{Type}(pl(i),t) \neq \mathit{Transport}\}$

  - $(pl(i),t) \in IA$ implies $\mathit{Type}(pl(i),t) \neq \mathit{Inhib}$ for all $i \in \{1,\ldots,k\} \setminus IN$

• $(pl,W) \leadsto^{\varepsilon}_{\alpha} (pl, \alpha(pl, W^{\uparrow} \cap I(pl)))$.

The initial symbolic marking is $(pl_0, \{v_0\})$ where $v_0(i) = 0$ for all $i \in \{1,2,\ldots,k\}$.

Let us define $\leadsto_\alpha \stackrel{def}{=} \bigcup_{t \in T} \leadsto^{t}_{\alpha} \cup \leadsto^{\varepsilon}_{\alpha}$. We can now state the main theorem of this section, which establishes soundness and completeness of the symbolic semantics for any abstraction operator between $\alpha_{id}$ and $\alpha_\equiv$. In fact, we allow to dynamically change the abstraction operators during a computation in the symbolic semantics. Hence we consider a new transition relation $\leadsto_{\alpha_{id},\alpha_\equiv} \stackrel{def}{=} \bigcup_{\alpha_{id} \sqsubseteq \alpha \sqsubseteq \alpha_\equiv} \leadsto_\alpha$ allowing us to apply in any step an arbitrary abstraction operator between the identity and $\alpha_\equiv$.

Theorem 3.1 Let $(N,(pl_0,v_0))$ be a marked $k$-bounded TAPN. Then

• (Soundness) $(pl_0,\{v_0\}) \leadsto^{*}_{\alpha_{id},\alpha_\equiv} (pl,W)$ implies that there exists a valuation $v \in W$ such that $(pl_0,v_0) \to^{*} (pl,v)$, and

• (Completeness) $(pl_0,v_0) \to^{*} (pl,v)$ implies, for any abstraction operator $\alpha$ where $\alpha_{id} \sqsubseteq \alpha \sqsubseteq \alpha_\equiv$, that $(pl_0,\{v_0\}) \leadsto^{\varepsilon}_{\alpha} (\leadsto^{t}_{\alpha_{id}} \circ \leadsto^{\varepsilon}_{\alpha})^{*} (pl,W)$ for some $W$ where $v \in W$.

Note that the completeness part of the theorem imposes that the symbolic semantics can reach the given placement via a strictly alternating sequence of time elapsing and transition firing steps where the transition firing steps are not extrapolated (using the identity abstraction operator); this reflects how the successors are computed in the reachability algorithm discussed in Section 6.

4 Extrapolation via DBMs 

For the use in our reachability algorithm, we need to represent infinite sets of valuations $W$ in a finite way. However, it is not known how to effectively deal directly with the $\alpha_\equiv$ abstraction operator. Instead, we suggest a slightly less general abstraction (extrapolation) operator and a way to finitely represent infinite sets of valuations in order to guarantee a finite and effectively searchable state-space of symbolic markings.

For this purpose we use Difference Bound Matrices (DBM), a well-known technique for verification of real-time systems (see e.g. [5, 10]) that allows us to store constraints on single clocks and on differences of two clocks in a compact matrix-based data structure.

Difference Bound Matrix (DBM) A Difference Bound Matrix $D$ over the set of clocks $\mathcal{C}$ is a $|\mathcal{C}| \times |\mathcal{C}|$ matrix such that
\[ D_{ij} \in (\mathbb{Z} \times \{<, \leq\}) \cup \{(\infty,<)\} \]
where $i,j \in \mathcal{C}$ and for all $i \in \mathcal{C}$ we have

1. if $D_{0i} = (m, \lhd)$ then $m \leq 0$ and $\lhd \in \{<,\leq\}$,

2. if $D_{i0} = (m, \lhd)$ then $m \geq 0$ and $\lhd \in \{<,\leq\}$, and

3. $D_{ii} = (0, \leq)$.

A solution to a DBM $D$ is a valuation $v$ such that for all $i,j \in \mathcal{C}$ we have $v(i) - v(j) \lhd m$ where $D_{ij} = (m,\lhd)$. The set of all solutions to a DBM $D$ (alternatively, the zone over $D$) is denoted by $[D]$.

We refer to the elements $D_{ij}$ as bounds. A bound $D_{0i} = (m,\lhd)$ where $m \leq 0$ (by Condition 1) is called the lower bound for the clock $i$. Such a constraint means $v(0) - v(i) \lhd m$ for any valuation $v \in [D]$, which is equivalent to $-m \lhd v(i)$. Similarly, a bound $D_{i0} = (m,\lhd)$ where $m \geq 0$ (by Condition 2) is called the upper bound for the clock $i$ and it means that $v(i) - v(0) \lhd m$, which is the same as $v(i) \lhd m$. Finally, a bound $D_{ij}$ where $i \neq 0 \neq j$ is called a diagonal constraint.

For notational convenience, we introduce an alternative notation $lb_D$ and $ub_D$ for the lower and upper bound of a clock $i$. Formally, $lb_D(i) = (-m,\lhd)$ if $D_{0i} = (m,\lhd)$ and $ub_D(i) = D_{i0}$. We further define a notation for the individual elements in a bound such that $lb^{n}_{D}(i) = m$ and $lb^{\lhd}_{D}(i) = \lhd$ if $lb_D(i) = (m,\lhd)$. We use the same notation $ub^{n}_{D}$ and $ub^{\lhd}_{D}$ also for upper bounds.

A DBM $D$ is consistent if $[D] \neq \emptyset$. We say that $D$ is in canonical form if $D_{ij} \leq D_{ik} + D_{kj}$ for all $i,j,k \in \mathcal{C}$. It is well known that for every consistent DBM $D$ there is a unique canonical DBM $D^{c}$ such that $[D] = [D^{c}]$ [10].

We now define a variant of one of the abstraction (extrapolation) operators on DBMs in order to abstract sets of valuations represented by a DBM. The definition is inspired by [4], the main difference being the use of dynamic maximum constants in our operator.

Extrapolation The extrapolation of a canonical DBM $D$ in a placement $pl$ is the DBM $D'$, called $\mathit{ext}_{pl}(D)$, and defined as follows (here $i,j \in \mathcal{C} \setminus \{0\}$ such that $i \neq j$):

1. $D' := D$

2. if $mc(pl(i)) < lb^{n}_{D}(i)$ then $lb_{D'}(i) := (mc(pl(i)), <)$ and $ub_{D'}(i) := (\infty, <)$

3. if $ub^{n}_{D}(i) > mc(pl(i))$ then $ub_{D'}(i) := (\infty, <)$

4. if $mc(pl(i)) < lb^{n}_{D}(i)$ or $mc(pl(j)) < lb^{n}_{D}(j)$ then $D'_{ij} := (\infty, <)$

5. if $D_{ij} = (m,\lhd)$ and $m > mc(pl(i))$ then $D'_{ij} := (\infty, <)$

Intuitively, the extrapolation works by removing all upper bounds greater than the maximum constant of a given place and by replacing any lower bound greater than the maximum constant with the value $(mc(pl(i)), <)$. Additionally, whenever the lower bound is above the maximum constant of a given place, any diagonal constraint involving that clock is also removed. An example of a DBM $D$ and its extrapolation $\mathit{ext}_{pl}(D)$ together with their graphical representations (clock 1 is on the x-axis and clock 2 on the y-axis) is given in Figure 2. We can see that the extrapolation operator enlarges the set of valuations represented by $D$ such that there are only finitely many extrapolated DBMs.
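The DBM representation and the five extrapolation steps above, as an added example that is not the paper's or TAPAAL's code: a small DBM class with Floyd-Warshall canonicalisation, a solution check for $[D]$, and $\mathit{ext}_{pl}$ driven by a caller-supplied $mc(pl(i))$. The zone built in `figure2_like()` is constructed here; only the constants $mc(pl(1)) = 1$, $mc(pl(2)) = 2$ come from the caption of Figure 2.

```python
# Added example, not the paper's or TAPAAL's code: a minimal DBM with Floyd-Warshall
# canonicalisation and the extrapolation operator ext_pl of Section 4, using the
# place-dependent maximum constants mc(pl(i)). The DBM built in figure2_like() is
# constructed here; only mc(pl(1)) = 1, mc(pl(2)) = 2 come from Figure 2.
from typing import Callable, List, Tuple

Bound = Tuple[float, bool]          # (m, strict): v(i) - v(j) < m if strict else <= m
INF: Bound = (float("inf"), True)   # the unconstrained bound (∞, <)


def b_add(a: Bound, b: Bound) -> Bound:
    """Bound addition: the sum is strict if either summand is."""
    return (a[0] + b[0], a[1] or b[1])


def b_lt(a: Bound, b: Bound) -> bool:
    """a is strictly tighter than b; (m, <) is tighter than (m, <=)."""
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])


class DBM:
    """Matrix of bounds over clocks 0..n_clocks, clock 0 being the zero pseudoclock."""

    def __init__(self, n_clocks: int):
        self.n = n_clocks + 1
        self.m: List[List[Bound]] = [[INF] * self.n for _ in range(self.n)]
        for i in range(self.n):
            self.m[i][i] = (0, False)        # D_ii = (0, <=)
            self.m[0][i] = (0, False)        # v(0) - v(i) <= 0: ages are non-negative

    def constrain(self, i: int, j: int, bound: Bound) -> None:
        """Add v(i) - v(j) ◁ m, keeping the tighter of the old and the new bound."""
        if b_lt(bound, self.m[i][j]):
            self.m[i][j] = bound

    def close(self) -> bool:
        """Canonical form D_ij <= D_ik + D_kj for all i, j, k; False if [D] is empty."""
        n, m = self.n, self.m
        for k in range(n):
            for i in range(n):
                for j in range(n):
                    via = b_add(m[i][k], m[k][j])
                    if b_lt(via, m[i][j]):
                        m[i][j] = via
        return all(not b_lt(m[i][i], (0, False)) for i in range(n))

    def lb(self, i: int) -> Bound:
        """lb_D(i) = (-m, ◁) for D_0i = (m, ◁): the lower bound of clock i."""
        return (-self.m[0][i][0], self.m[0][i][1])

    def ub(self, i: int) -> Bound:
        """ub_D(i) = D_i0: the upper bound of clock i."""
        return self.m[i][0]


def satisfies(D: DBM, v: List[float]) -> bool:
    """v is a solution of D (v[0] must be 0): v(i) - v(j) ◁ m for every bound."""
    for i in range(D.n):
        for j in range(D.n):
            m, strict = D.m[i][j]
            d = v[i] - v[j]
            if d > m or (strict and d == m):
                return False
    return True


def extrapolate(D: DBM, mc_of_clock: Callable[[int], int]) -> DBM:
    """ext_pl(D), steps 1-5 of the Extrapolation definition; mc_of_clock(i) = mc(pl(i))."""
    E = DBM(D.n - 1)
    E.m = [row[:] for row in D.m]                                  # 1. D' := D
    for i in range(1, D.n):
        mc = mc_of_clock(i)
        if mc < D.lb(i)[0]:                                         # 2. lower bound above mc
            E.m[0][i] = (-mc, True)                                 #    lb_D'(i) := (mc, <)
            E.m[i][0] = INF                                         #    ub_D'(i) := (∞, <)
        if D.ub(i)[0] > mc:                                         # 3. upper bound above mc
            E.m[i][0] = INF
        for j in range(1, D.n):
            if i == j:
                continue
            if mc < D.lb(i)[0] or mc_of_clock(j) < D.lb(j)[0]:      # 4. a clock with high lb
                E.m[i][j] = INF
            if D.m[i][j][0] > mc:                                   # 5. diagonal above mc(pl(i))
                E.m[i][j] = INF
    return E


def figure2_like() -> Tuple[DBM, DBM]:
    """Constructed zone 3 < x1 <= 6, 1 <= x2 < 3, x1 - x2 <= 4, x2 <= x1, and its extrapolation."""
    D = DBM(2)
    D.constrain(0, 1, (-3, True))     # x1 > 3
    D.constrain(1, 0, (6, False))     # x1 <= 6
    D.constrain(0, 2, (-1, False))    # x2 >= 1
    D.constrain(2, 0, (3, True))      # x2 < 3
    D.constrain(1, 2, (4, False))     # x1 - x2 <= 4
    D.constrain(2, 1, (0, False))     # x2 - x1 <= 0
    if not D.close():                 # closure tightens D_21 to (0, <) since x1 > 3 > x2
        raise ValueError("inconsistent DBM")
    mc = {1: 1, 2: 2}                 # mc(pl(1)) = 1, mc(pl(2)) = 2 as in Figure 2
    return D, extrapolate(D, lambda i: mc[i])
```

Calling `figure2_like()` yields the canonical $D$ and $\mathit{ext}_{pl}(D)$, which keeps only $x_1 > 1$ and $x_2 \geq 1$: both upper bounds and both diagonals are dropped, and the lower bound of clock 1 is lowered to $(mc(pl(1)), <)$.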

Lemma 4.1 The set $\{\mathit{ext}_{pl}(D) \mid D \text{ is a canonical DBM}\}$ is finite.

We can now conclude with the main result stating that the extrapolation provides an abstraction which is between identity and $\alpha_\equiv$; a crucial and nontrivial fact needed for proving correctness of the reachability algorithm.

Theorem 4.2 Let $D$ be a canonical DBM and let $pl$ be a placement function. Then $[D] \subseteq [\mathit{ext}_{pl}(D)] \subseteq$
Figure 2: Example of the extrapolation operator for $mc(pl(1)) = 1$, $mc(pl(2)) = 2$. (a) Canonical DBM $D$; (b) the DBM $\mathit{ext}_{pl}(D)$; (c) the zone $[D]$; (d) the zone $[\mathit{ext}_{pl}(D)]$.



5 Monotonicity of Bounded TAPNs 

It is a well-known fact that the behaviour of the basic TAPN model is monotonic [11] with respect to the standard marking inclusion, intuitively meaning that adding more tokens to the net does not restrict its behaviour. However, the use of age invariants and inhibitor arcs breaks the monotonicity property [14]. In this section, we introduce a more refined inclusion relation on symbolic markings that preserves monotonicity even in the presence of age invariants and inhibitor arcs. Moreover, the inclusion relation allows for reordering of tokens in the net and hence it implements the symmetry reduction. The inclusion relation is then exploited in the reachability algorithm presented in Section 6.

Let us fix a marked $k$-bounded TAPN $(N,(pl_0,v_0))$. For a place $p \in P$, we define a boolean predicate $\mathit{untimed}(p) = (\iota(p) = [0,\infty)) \wedge \forall t \in p^\bullet \,.\, (\mathit{Type}(p,t) \neq \mathit{Transport} \wedge c(p,t) = [0,\infty))$. If the predicate is true, we do not need to keep track of the ages of tokens in this place. For a symbolic marking $M$ we now define the set $INC_M$ representing the set of tokens eligible for the inclusion checking.

Definition Let $M = (pl,W)$ be a symbolic marking. We define $INC_M \subseteq \{1,2,\ldots,k\}$ as the largest subset of tokens such that for any token $i \in INC_M$,

1. $pl(i) \neq \bot$,

2. $\iota(pl(i)) = [0,\infty)$,

3. $pl(i)$ has no outgoing inhibitor arcs, and

4. either $\mathit{untimed}(pl(i))$ or

  • $\inf(V_i) \in V_i \Rightarrow mc(pl(i)) < \inf(V_i)$, or

  • $\inf(V_i) \notin V_i \Rightarrow mc(pl(i)) \leq \inf(V_i)$,

where $V_i = \{v(i) \mid v \in W\}$.

Let us briefly comment on Condition 4. If a place is untimed then the ages of tokens in that place are irrelevant and we can consider them for inclusion checking. Otherwise, the lower bound of clock $i$ in $W$ is calculated by $\inf(V_i)$ and the two subconditions distinguish whether this bound is included or not (in the DBM representation we can read these bounds directly from the matrix). The point is that if the lower bound for the token $i$ is above the maximum constant for the place where $i$ is placed, then its concrete age is irrelevant for the firing of transitions.

Let $P_{inc} \subseteq P$ be a set of places that we want to consider for the inclusion checking (typically we set $P_{inc} = P$, but the user can exclude some places from the application of the inclusion operator by removing them from $P_{inc}$). We can now partition all tokens in the marking $M = (pl,W)$ into three categories

• $\mathit{inc}(M) = INC_M \cap \{i \mid pl(i) \in P_{inc}\}$

• $\mathit{bot}(M) = \{i \mid pl(i) = \bot\}$

• $\mathit{eq}(M) = \{1,2,\ldots,k\} \setminus (\mathit{bot}(M) \cup \mathit{inc}(M))$

where $\mathit{inc}(M)$ contains all tokens eligible for inclusion checking, $\mathit{bot}(M)$ contains all unused tokens and $\mathit{eq}(M)$ is the set of all tokens that have to be checked for equality. Let us now introduce some notation. Let $pl$ be a placement function, $p$ a place and let $X \subseteq \{1,2,\ldots,k\}$ be a set of tokens. We define $\mathit{count}^{X}_{pl}(p) = |\{i \in X \mid pl(i) = p\}|$. Intuitively, $\mathit{count}^{X}_{pl}(p)$ tells us how many tokens from $X$ are in the place $p$. We are now ready to introduce the refined ordering relation.

Inclusion Ordering Let $M = (pl,W)$ and $M' = (pl',W')$ be symbolic markings. We say that $M$ is included in $M'$, written $M \sqsubseteq M'$, if

1. there exists a bijection $h : \mathit{eq}(M) \to \mathit{eq}(M')$ such that

  (a) $pl(i) = pl'(h(i))$ for all $i \in \mathit{eq}(M)$,

  (b) for all $v \in W$ there exists a $v' \in W'$ such that for all $i \in \mathit{eq}(M)$

    (i) $v(i) = v'(h(i))$, or

    (ii) $v(i) > mc(pl(i))$ and $v'(h(i)) > mc(pl'(h(i)))$, and

2. $\mathit{count}^{\mathit{inc}(M)}_{pl}(p) \leq \mathit{count}^{\mathit{inc}(M')}_{pl'}(p)$ for all $p \in P$.

Hence two symbolic markings $M$ and $M'$ are related by $\sqsubseteq$ if they agree on the sets $\mathit{eq}(M)$ and $\mathit{eq}(M')$ via the bijection $h$ (this gives us the possibility to employ symmetry reduction), and moreover, the number of tokens from $\mathit{inc}(M')$ in any place $p$ in the marking $M'$ must be larger than or equal to the number of tokens from $\mathit{inc}(M)$ in the place $p$ in the marking $M$. We finish this section by a theorem proving monotonicity with respect to the ordering relation $\sqsubseteq$ for any abstraction operator below $\alpha_\equiv$.

Theorem 5.1 Let $\alpha$ be an abstraction operator such that $\alpha_{id} \sqsubseteq \alpha \sqsubseteq \alpha_\equiv$ and let $M_1, M_2$ be symbolic markings reachable from $(pl_0,\{v_0\})$ via $\leadsto_\alpha$ such that $M_1 \sqsubseteq M_2$. If $M_1 \leadsto_\alpha M'_1$ then $M_2 \leadsto_\alpha M'_2$ for some $M'_2$ such that $M'_1 \sqsubseteq M'_2$.
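The token partition $\mathit{inc}/\mathit{bot}/\mathit{eq}$ and the inclusion ordering $\sqsubseteq$ above, as an added example that is not the paper's or TAPAAL's code. It represents the valuation set $W$ of a symbolic marking as a constructed finite set of age vectors instead of a zone (so $\inf(V_i)$ is always attained and only the first subcondition of Condition 4 applies), searches the bijections $h$ of Condition 1 by brute force (which is exactly where the symmetry reduction comes from), and uses a constructed three-place net; tokens are numbered from 0.

```python
# Added example, not the paper's or TAPAAL's code: the inclusion ordering ⊑ of
# Section 5 on symbolic markings whose valuation sets W are finite sets of age
# vectors (a constructed stand-in for zones, so inf(V_i) is always attained and
# only the first subcondition of Condition 4 applies). The net is constructed.
from dataclasses import dataclass
from itertools import permutations
from typing import Dict, FrozenSet, Optional, Set, Tuple

BOT = None   # the pseudo-place ⊥ of unused tokens


@dataclass(frozen=True)
class Place:
    mc: int                       # maximum constant mc(p)
    untimed: bool = False         # untimed(p) holds
    inv_unbounded: bool = True    # ι(p) = [0, ∞)
    has_inhibitor: bool = False   # some (p, t) ∈ IA is an inhibitor arc


@dataclass(frozen=True)
class SymMarking:
    pl: Tuple[Optional[str], ...]           # placement of tokens 0..k-1
    W: FrozenSet[Tuple[float, ...]]         # finite set of age vectors


def inc_tokens(net: Dict[str, Place], M: SymMarking) -> Set[int]:
    """INC_M: Conditions 1-4 of the definition, tokens whose exact age is irrelevant."""
    out = set()
    for i, p in enumerate(M.pl):
        if p is BOT:                                    # 1. pl(i) ≠ ⊥
            continue
        pd = net[p]
        if not pd.inv_unbounded or pd.has_inhibitor:    # 2. and 3.
            continue
        lower = min(v[i] for v in M.W)                  # inf(V_i), attained (finite W)
        if pd.untimed or pd.mc < lower:                 # 4.
            out.add(i)
    return out


def partition(net, M, P_inc):
    """The three token classes inc(M), bot(M), eq(M)."""
    inc = {i for i in inc_tokens(net, M) if M.pl[i] in P_inc}
    bot = {i for i, p in enumerate(M.pl) if p is BOT}
    eq = set(range(len(M.pl))) - inc - bot
    return inc, bot, eq


def count(M, X, p):
    """count^X_pl(p): number of tokens from X in place p."""
    return sum(1 for i in X if M.pl[i] == p)


def ages_match(net, M, M2, h, v, v2):
    """Condition 1(b)(i)/(ii) for one pair of valuations under the bijection h."""
    for i, hi in h.items():
        if v[i] == v2[hi]:
            continue
        if v[i] > net[M.pl[i]].mc and v2[hi] > net[M2.pl[hi]].mc:
            continue
        return False
    return True


def included(net, M, M2, P_inc) -> bool:
    """M ⊑ M2 of the Inclusion Ordering; bijections are enumerated (symmetry)."""
    inc1, _, eq1 = partition(net, M, P_inc)
    inc2, _, eq2 = partition(net, M2, P_inc)
    if any(count(M, inc1, p) > count(M2, inc2, p) for p in net):   # Condition 2
        return False
    if len(eq1) != len(eq2):
        return False
    eq1_sorted = sorted(eq1)
    for perm in permutations(sorted(eq2)):                         # candidate h
        h = dict(zip(eq1_sorted, perm))
        if any(M.pl[i] != M2.pl[h[i]] for i in eq1_sorted):        # 1(a)
            continue
        if all(any(ages_match(net, M, M2, h, v, v2) for v2 in M2.W) for v in M.W):
            return True                                            # 1(b)
    return False


# Constructed net: A is timed with mc(A) = 2, B is untimed, C has an inhibitor arc.
NET = {"A": Place(mc=2), "B": Place(mc=0, untimed=True), "C": Place(mc=0, has_inhibitor=True)}
P_INC = set(NET)


def mk(pl, *ages) -> SymMarking:
    """Build a symbolic marking from a placement and a few age vectors."""
    return SymMarking(tuple(pl), frozenset(tuple(a) for a in ages))


if __name__ == "__main__":
    M1 = mk(["A", "B", BOT], (1.0, 0.0, 0.0))
    M2 = mk(["B", "A", "B"], (0.0, 1.0, 5.0))
    print(included(NET, M1, M2, P_INC), included(NET, M2, M1, P_INC))   # True False
```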

6 Implementation of the Reachability Algorithm

Before we present the reachability algorithm, let us first introduce a reachability fragment of CTL that is used in the algorithm. A formula of the logic is given by the abstract syntax:
\[ \varphi ::= EF\,\psi \mid AG\,\psi \qquad\qquad (1) \]
\[ \psi, \psi_1, \psi_2 ::= (p \bowtie n) \mid \psi_1 \wedge \psi_2 \mid \psi_1 \vee \psi_2 \]
where $p \in P$, $n \in \mathbb{N}$ and $\bowtie \in \{<, \leq, =, \neq, \geq, >\}$.
The semantics of formulae is given in terms of a TLTS $(S, Lab, \to)$ and a labeling function $\mu : S \to 2^{AP}$ assigning sets of true atomic propositions to states. We define the set of atomic propositions $AP$ and the labeling function $\mu$ as $AP \stackrel{def}{=} \{(p \bowtie n) \mid p \in P,\ n \in \mathbb{N}_0 \text{ and } \bowtie \in \{<, \leq, =, \neq, \geq, >\}\}$ and $\mu(M) \stackrel{def}{=} \{(p \bowtie n) \mid \mathit{count}^{\{1,2,\ldots,k\}}_{pl}(p) \bowtie n \text{ and } \bowtie \in \{<, \leq, =, \neq, \geq, >\}\}$. The intuition is that a proposition $(p \bowtie n)$ is true in a marking $M$ if the number of tokens in the place $p$ satisfies the proposition with respect to $n$. Since atomic propositions only depend on the discrete part of a marking, we adopt the same definition of $\mu$ for symbolic markings. For a state $s \in S$ and a formula $\varphi$, we define the satisfaction relation $s \models \varphi$ inductively as follows:
\[ \begin{array}{lcl}
s \models (p \bowtie n) & \text{iff} & (p \bowtie n) \in \mu(s) \\
s \models \neg\psi & \text{iff} & s \not\models \psi \\
s \models \psi_1 \wedge \psi_2 & \text{iff} & s \models \psi_1 \text{ and } s \models \psi_2 \\
s \models \psi_1 \vee \psi_2 & \text{iff} & s \models \psi_1 \text{ or } s \models \psi_2 \\
s \models EF\,\psi & \text{iff} & s \to^{*} s' \text{ and } s' \models \psi \\
s \models AG\,\psi & \text{iff} & s \not\models EF\,\neg\psi .
\end{array} \]


As the AG and EF temporal operators are dual, it is enough to design an algorithm for deciding the validity of $EF\,\psi$. Note that because the predicates do not allow us to query the ages of tokens in the net, the presence of age invariants in the TAPN model adds expressive power (otherwise we could conjoin the age invariants with the intervals on input arcs and add to the formulae the requirement that no place contains any token exceeding the invariant bound).

We say that a place $p$ in a boolean predicate $\psi$ defined according to Equation (1) is monotonicity-breaking if $\psi$ contains an atomic proposition of the form $p < n$, $p \leq n$, $p = n$ or $p \neq n$. In other words, the inequality imposes some upper bound or an exact comparison to a concrete number in the place $p$.

Lemma 6.1 Let $M$ and $M'$ be symbolic markings, let $\psi$ be a boolean predicate defined by Equation (1) and let the set $P_{inc}$ of inclusion places contain no monotonicity-breaking place. If $M \models \psi$ and $M \sqsubseteq M'$ then $M' \models \psi$.

Proof By structural induction on $\psi$. The induction step is trivial; we discuss here only the base case for a proposition of the form $\psi = p \bowtie n$. Let $(pl_1,W_1)$ and $(pl_2,W_2)$ be symbolic markings such that $(pl_1,W_1) \sqsubseteq (pl_2,W_2)$. Let $(pl_1,W_1) \models \psi$.

If $p$ is a monotonicity-breaking place then $p \notin P_{inc}$ and all tokens in the place $p$ belong to the set $\mathit{eq}((pl_1,W_1))$. By Condition 1 of the inclusion ordering there exists a bijection $h$ such that for all $i \in \mathit{eq}((pl_1,W_1))$ we have $pl_1(i) = pl_2(h(i))$ and hence in the marking $(pl_2,W_2)$ the number of tokens in the place $p$ is equal to the number of tokens in the place $p$ in the marking $(pl_1,W_1)$, and we get $(pl_2,W_2) \models \psi$.

If $p$ is not a monotonicity-breaking place, the constraint on $p$ has the form $p \geq n$ or $p > n$. If the tokens in the place $p$ belong to $\mathit{eq}((pl_1,W_1))$ we are done by the arguments above. If the tokens in the place $p$ belong to $\mathit{inc}((pl_1,W_1))$ then by Condition 2 of the inclusion ordering the number of tokens placed in $p$ in the marking $(pl_2,W_2)$ is at least the number of tokens in the marking $(pl_1,W_1)$ and because the proposition on $p$ states only a lower bound, we can again conclude that $(pl_2,W_2) \models \psi$. □

In order to present an efficient reachability algorithm, we need a finite representation for the potentially infinite sets of valuations discussed in Section 5. We will thus use DBMs. However, we have to implement the operations used on the sets of valuations, such as delay, clock reset and intersection, on DBMs. Similarly, we need to define a DBM which represents a guard or invariant of the form $i \in [a,b]$ where $i$ is a clock and $[a,b]$ is a well-formed interval; here $[$ is either a closed or an open left parenthesis and similarly for $]$.

Proposition 6.2 Let $D_1$ and $D_2$ be canonical DBMs over the clocks $\mathcal{C}$. Then the following operations
and DBMs can be computed efficiently:

1. (Delay) $D_1^{\uparrow}$ is a canonical DBM s.t. $[D_1^{\uparrow}] = [D_1]^{\uparrow}$.

2. (Reset) $D_1^{R=0}$ where $R \subseteq \mathcal{C}$ is a canonical DBM s.t. $[D_1^{R=0}] = [D_1]^{R=0}$.

3. (Intersection) $D_1 \cap D_2$ is a canonical DBM s.t. $[D_1 \cap D_2] = [D_1] \cap [D_2]$.

4. (Interval DBM) $D_{i \in [a,b]}$ is a canonical DBM s.t. $[D_{i \in [a,b]}] = \{v \in \mathbb{R}_{\geq 0}^{\mathcal{C}} \mid v(i) \in [a,b]\}$.

5. (Discrete Inclusion) Let $pl_1$ and $pl_2$ be placement functions. The expression $(pl_1,[D_1]) \sqsubseteq (pl_2,[D_2])$
can be computed efficiently.

All these operations can be efficiently implemented for DBMs (see e.g. [5, 20] for details on operations
1-4); the fifth operator can be implemented using DBMs, as shown in the full version of the paper.
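The following is an added example, my own code rather than TAPAAL's DBM implementation, of the operations listed in Proposition 6.2 on a small canonical DBM: closure by Floyd-Warshall, delay, reset, intersection, the interval DBM, a consistency test, and the entrywise inclusion test that operation 5 reduces to on canonical forms. The encoding of bounds as (constant, strict) pairs, the reference-clock convention and the names `tighter`, `add`, `demo` are assumptions of this example; the guard and the valuations checked in `demo()` are constructed.

```python
# Added example (my own code, not TAPAAL's DBM implementation) of the operations
# in Proposition 6.2 on a canonical DBM.  Entry m[i][j] = (c, strict) encodes
# x_i - x_j < c (strict) or <= c; clock 0 is the reference clock fixed at 0, so
# m[i][0] bounds clock i from above and m[0][i] = (-a, s) encodes x_i >= a (> a if s).
from typing import Iterable, List, Tuple

Bound = Tuple[float, bool]          # (constant, strict?)
INF: Bound = (float("inf"), True)   # unconstrained
ZERO: Bound = (0.0, False)          # x_i - x_j <= 0


def tighter(a: Bound, b: Bound) -> bool:
    # a is strictly tighter than b; (c, <) is tighter than (c, <=)
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])


def add(a: Bound, b: Bound) -> Bound:
    # bound along a two-edge path; strictness propagates
    return INF if INF in (a, b) else (a[0] + b[0], a[1] or b[1])


class DBM:
    def __init__(self, m: List[List[Bound]]):
        self.m, self.n = m, len(m)

    @classmethod
    def universe(cls, clocks: int) -> "DBM":
        # every valuation with non-negative clocks
        n = clocks + 1
        m = [[INF] * n for _ in range(n)]
        for i in range(n):
            m[i][i] = m[0][i] = ZERO
        return cls(m)

    @classmethod
    def interval(cls, clocks: int, i: int, a: float, b: float,
                 left_open: bool = False, right_open: bool = False) -> "DBM":
        # D_{i in [a,b]}: only clock i is constrained; b may be inf
        d = cls.universe(clocks)
        d.m[0][i] = (-a, left_open)
        d.m[i][0] = INF if b == float("inf") else (b, right_open)
        return d

    def canonical(self) -> "DBM":
        # Floyd-Warshall closure: each entry becomes the tightest implied bound
        m = [row[:] for row in self.m]
        for k in range(self.n):
            for i in range(self.n):
                for j in range(self.n):
                    via = add(m[i][k], m[k][j])
                    if tighter(via, m[i][j]):
                        m[i][j] = via
        return DBM(m)

    def consistent(self) -> bool:
        # non-empty iff the closure has no negative (or strict zero) cycle
        c = self.canonical()
        return not any(tighter(c.m[i][i], ZERO) for i in range(self.n))

    def delay(self) -> "DBM":
        # [D]^up: drop all upper bounds; all clocks grow by a common amount
        d = self.canonical()
        for i in range(1, self.n):
            d.m[i][0] = INF
        return d

    def reset(self, clocks: Iterable[int]) -> "DBM":
        # [D]^{R=0}: clocks in R become 0, the rest keep their canonical bounds
        d = self.canonical()
        for x in clocks:
            for j in range(self.n):
                d.m[x][j], d.m[j][x] = d.m[0][j], d.m[j][0]
        return d.canonical()

    def intersect(self, other: "DBM") -> "DBM":
        # entrywise tightest bound, then closure
        m = [[o if tighter(o, s) else s for s, o in zip(rs, ro)]
             for rs, ro in zip(self.m, other.m)]
        return DBM(m).canonical()

    def contains(self, v: List[float]) -> bool:
        # membership of the valuation v = [v_1, ..., v_n]
        w = [0.0] + list(v)
        return self.consistent() and all(
            w[i] - w[j] < c or (not s and w[i] - w[j] == c)
            for i in range(self.n) for j in range(self.n) for c, s in [self.m[i][j]])

    def includes(self, other: "DBM") -> bool:
        # [other] subset of [self]: entrywise comparison of canonical forms
        a, b = self.canonical(), other.canonical()
        return not b.consistent() or all(not tighter(a.m[i][j], b.m[i][j])
                                         for i in range(self.n) for j in range(self.n))


def demo() -> dict:
    # two clocks x1, x2, starting from the zero valuation (constructed values)
    zero = DBM([[ZERO] * 3 for _ in range(3)])
    d = zero.delay()                                             # x1 = x2 >= 0
    d = d.intersect(DBM.interval(2, 1, 2, 5, right_open=True))   # guard 2 <= x1 < 5
    d = d.reset([2])                                             # x2 := 0
    empty = DBM.interval(2, 1, 4, 5).intersect(DBM.interval(2, 1, 0, 2, right_open=True))
    return {
        "in_zone": d.contains([3.0, 0.0]),                        # True
        "x2_was_reset": d.contains([3.0, 3.0]),                   # False
        "right_open": d.contains([5.0, 0.0]),                     # False
        "empty_guard": empty.consistent(),                        # False
        "delay_grows": d.delay().includes(d) and not d.includes(d.delay()),  # True
    }
```

The sequence in `demo()` mirrors one step of the successor construction: delay, intersect with an arc guard, reset the clocks of the consumed tokens. Note that every operation returns a closed DBM, which is what makes the entrywise inclusion test in `includes` sound; comparing two non-canonical matrices entrywise can report a false negative.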

We can now perform a standard search through the state-space of symbolic markings using the
passed/waiting list approach. We start by adding the initial marking to the waiting list. As long as
the waiting list is nonempty, a symbolic marking $M$ is removed from the waiting list, added to the passed
list, and all symbolic extrapolated successors of $M$ are explored. If a successor $M'$ of $M$ is below (w.r.t.
the ordering $\sqsubseteq$) some marking on the passed or waiting list, we ignore it. Otherwise we add $M'$ to the
waiting list and remove from the waiting and passed lists all markings that are below $M'$. We stop with
a positive answer once we find a marking satisfying the property we are searching for. If the whole state-space
is searched without finding such a marking, we return a negative answer. The search is performed
only up to $k$ tokens in the net, where this number is supplied by the user (it is undecidable whether there is
some $k$ such that the net is $k$-bounded [14]). If the net is $k$-bounded for the given $k$ (this can be automatically
verified) then this gives a conclusive answer; otherwise the search can give a conclusive answer
only if it finds a marking satisfying the given property (a negative answer then only states that no marking
with at most $k$ tokens was found to satisfy the property).
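As an added illustration, my own code rather than the TAPAAL engine, the following runs the passed/waiting search just described with the inclusion ordering restricted to placement functions, on two constructed untimed nets. It shows the pruning of lines 11-13 of Algorithm 2 reducing the number of stored markings on a $k$-bounded net, and, as a caveat, that on a net that is not $k$-bounded the cut-off at $k$ tokens is not monotone with respect to the ordering, so the inclusion search can miss a witness that the plain bounded search finds; this is exactly the situation in which the text declares the answer inconclusive. The nets, the bound, the queries and the names `fire`, `successors`, `below`, `reach` are assumptions of this example.

```python
# Added example (my own code, not TAPAAL's): the passed/waiting search of
# Algorithm 2 restricted to the discrete part of the inclusion ordering, run on
# untimed Petri nets.  Dropping the zones isolates Condition 2 of the ordering:
# token counts on inclusion places may grow, every other place must match.
# Both nets, the bound k and the queries are constructed for illustration.
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Marking = Tuple[int, ...]                           # token count per place
Transition = Tuple[Dict[int, int], Dict[int, int]]  # (pre, post): place -> weight


def fire(m: Marking, t: Transition) -> Optional[Marking]:
    """Marking reached by firing t, or None if t is not enabled in m."""
    pre, post = t
    if any(m[p] < w for p, w in pre.items()):
        return None
    new = list(m)
    for p, w in pre.items():
        new[p] -= w
    for p, w in post.items():
        new[p] += w
    return tuple(new)


def successors(net: List[Transition], m: Marking, k: int) -> List[Marking]:
    """Enabled successors that stay within the user-supplied bound of k tokens."""
    return [m2 for m2 in (fire(m, t) for t in net)
            if m2 is not None and sum(m2) <= k]


def below(m1: Marking, m2: Marking, inc: FrozenSet[int]) -> bool:
    """m1 is below m2: equal outside inc, at most as many tokens on inc places."""
    return all(a <= b if p in inc else a == b
               for p, (a, b) in enumerate(zip(m1, m2)))


def reach(net: List[Transition], m0: Marking, prop: Callable[[Marking], bool],
          k: int, inc: FrozenSet[int]) -> Tuple[bool, int]:
    """Algorithm 2 without zones; returns (answer, markings put on WAITING)."""
    if prop(m0):
        return True, 1
    passed: List[Marking] = []
    waiting: List[Marking] = [m0]
    stored = 1
    while waiting:
        m = waiting.pop()                  # LIFO removal, i.e. depth-first order
        passed.append(m)
        for m2 in successors(net, m, k):
            if any(below(m2, m3, inc) for m3 in passed + waiting):
                continue                   # line 11: a larger marking is already stored
            passed = [m3 for m3 in passed if not below(m3, m2, inc)]    # line 12
            waiting = [m3 for m3 in waiting if not below(m3, m2, inc)]  # line 13
            stored += 1
            if prop(m2):
                return True, stored
            waiting.append(m2)
    return False, stored


# Net 1 (3-bounded): a pool of 3 items is moved one by one into a buffer and consumed.
SRC, BUF = 0, 1
BOUNDED: List[Transition] = [({SRC: 1}, {BUF: 1}),   # t: move one item into BUF
                             ({BUF: 1}, {})]         # u: consume one item
# Net 2 (unbounded): a worker cycles idle -> busy -> idle, adding one item to
# the buffer per cycle; consumed items accumulate in a log place.
IDLE, BUSY, BUF2, LOG = range(4)
UNBOUNDED: List[Transition] = [({IDLE: 1}, {BUSY: 1}),
                               ({BUSY: 1}, {IDLE: 1, BUF2: 1}),
                               ({BUF2: 1}, {LOG: 1})]


def bounded_demo() -> Tuple[Tuple[bool, int], Tuple[bool, int]]:
    """Query 'SRC >= 1 and BUF >= 3' (unreachable) with no inclusion places and
    with BUF as inclusion place: both answer NO, the second stores 4 markings
    instead of 10 because smaller buffer contents are covered."""
    prop = lambda m: m[SRC] >= 1 and m[BUF] >= 3
    return (reach(BOUNDED, (3, 0), prop, 3, frozenset()),
            reach(BOUNDED, (3, 0), prop, 3, frozenset({BUF})))


def cutoff_demo() -> Tuple[bool, bool]:
    """Query 'BUF2 >= 2' on the unbounded net with k = 4.  The plain bounded
    search finds (1,0,2,0); with BUF2 and LOG as inclusion places the witness
    is lost: the covering marking (0,1,1,2) has a successor with 5 tokens that
    is cut off, while the covered (0,1,1,0) could still have reached (1,0,2,0)."""
    prop = lambda m: m[BUF2] >= 2
    return (reach(UNBOUNDED, (1, 0, 0, 0), prop, 4, frozenset())[0],
            reach(UNBOUNDED, (1, 0, 0, 0), prop, 4, frozenset({BUF2, LOG}))[0])
```

`bounded_demo()` returns `((False, 10), (False, 4))` and `cutoff_demo()` returns `(True, False)`. The amount of pruning depends on the removal order from WAITING (depth-first here, BFS in the experiments below): a large marking discovered early covers more of the later, smaller ones. The second demo is the reason the text insists on a $k$-bounded net: only then is every successor of a covering marking also generated, and Theorem 5.1 applies to the search actually performed.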

The successor generation algorithm is presented in Algorithm 1 and the reachability algorithm is
given in Algorithm 2. Observe, as remarked above, that the algorithm will discard any generated successor
marking if a larger marking is already present in the PASSED or WAITING list (line 11). Similarly,
if a generated successor marking is larger than some marking in the PASSED or WAITING list, then it
will remove all such smaller markings from the PASSED and WAITING list (lines 12 to 13).

Lemma 6.3 Algorithm 2 terminates.

Proof Let $N$ be a $k$-bounded TAPN. We must argue that the state-space of the symbolic semantics is
finite. Since $N$ is a $k$-bounded TAPN, it follows that there are only finitely many placement functions.
Further, from Theorem 4.1 we know that there are only finitely many extrapolated DBMs for a given
placement function. Thus, we may conclude that there are only finitely many symbolic markings in the
symbolic semantics using the extrapolation operator. Observe that Algorithm 2 will add each symbolic
marking to the WAITING list at most once: a marking that was discarded or removed is below some marking
on the lists, and by transitivity of $\sqsubseteq$ it stays below whatever later replaces that marking, so it is never
added again. Thus, it follows that the algorithm terminates. □

Lemma 6.4 If Algorithm 2 returns "YES", then $(pl_0,v_0) \models EF\psi$.

Proof Assume that Algorithm 2 returns "YES". We must show that $(pl_0,v_0) \rightarrow^* (pl,v)$ such that
$(pl,v) \models \psi$. We define $\alpha_{ext}(pl,[D]) \stackrel{def}{=} [ext_{pl}(D)]$ for any placement function $pl$ and canonical DBM $D$
(for any set of valuations $W$ that cannot be represented by a DBM we assume $\alpha_{ext}(pl,W) \stackrel{def}{=} W$).
Algorithm 1: Successor generation algorithm

 1 Name: succ(N, (pl,D));
   Input: A k-bounded TAPN N and a symbolic marking (pl,D).
   Output: The set of successor markings for (pl,D).
 2 begin
 3   successors := ∅;
 4   forall the t ∈ T do
 5     Let A := {i ∈ {1,2,...,k} | pl(i) ∈ •t};
 6     forall the sets IN ⊆ A where •t = {pl(i) | i ∈ IN} and
         ∀i ∈ {1,2,...,k} \ IN . (pl(i),t) ∈ IA ⇒ Type(pl(i),t) ≠ Inhib do
 7       Let R := {i ∈ IN | Type(pl(i),t) ≠ Transport};
 8       pl' := move(pl, IN, t);
 9       D' := (D ∩ ⋂_{i ∈ IN} D_{i ∈ c(pl(i),t)})^{R=0} ∩ ⋂_{i ∈ {1,...,k}} D_{i ∈ I(pl'(i))};
10       if D' is consistent then
11         successors := successors ∪ {(pl', ext_{pl'}(D'^↑ ∩ ⋂_{i ∈ {1,2,...,k}} D_{i ∈ I(pl'(i))}))};
12   return successors;



Algorithm 2: Reachability algorithm

 1 Name: Reach(N, (pl_0,v_0), EFψ);
   Input: A marked k-bounded TAPN (N, (pl_0,v_0)), a formula EFψ and a set P_inc ⊆ P not
          containing any monotonicity-breaking place in ψ.
   Output: YES if (pl_0,v_0) |= EFψ, NO otherwise.
 2 begin
 3   PASSED := ∅;
 4   Create DBM D_0 such that [D_0] = {v_0};
 5   if (pl_0, ext_{pl_0}(D_0^↑ ∩ ⋂_{i ∈ {1,2,...,k}} D_{i ∈ I(pl_0(i))})) |= ψ then return YES;
 6   WAITING := {(pl_0, ext_{pl_0}(D_0^↑ ∩ ⋂_{i ∈ {1,2,...,k}} D_{i ∈ I(pl_0(i))}))};
 7   while WAITING ≠ ∅ do
 8     Remove some (pl,D) from WAITING;
 9     PASSED := PASSED ∪ {(pl,D)};
10     forall the (pl',D') ∈ succ(N, (pl,D)) do
11       if ¬∃(pl'',D'') ∈ PASSED ∪ WAITING . (pl',[D']) ⊑ (pl'',[D'']) then
12         PASSED := PASSED \ {(pl'',D'') ∈ PASSED | (pl'',[D'']) ⊑ (pl',[D'])};
13         WAITING := WAITING \ {(pl'',D'') ∈ WAITING | (pl'',[D'']) ⊑ (pl',[D'])};
14         if (pl',D') |= ψ then return YES;
15         WAITING := WAITING ∪ {(pl',D')};
16   return NO;
Delay    TAPAAL    TAPAAL incl.    Broadcast    Deg.2 Broadcast
  28       10.8        10.4           11.6            11.6
  24       12.1        12.0          102.3            48.8
  20       17.0        16.4          456.2            88.0
  16       92.6        90.7          207.4           137.7

Table 1: PMS case study scaled by the sampling delay (time in seconds)



Since the algorithm returned "YES", it must have found some symbolic marking $(pl,D)$ such that
$(pl,D) \models \psi$. Observe that Algorithm 2 (and Algorithm 1) will alternate between using the identity
abstraction for discrete transition firings and $\alpha_{ext}$ for time delays. Thus, from the way the algorithm
searches through the state-space, we may conclude that there must exist symbolic markings
$(pl_1,D_1), (pl_2,D_2), \ldots, (pl,D)$ such that

$$(pl_0,[D_0]) \Rightarrow^{\varepsilon}_{\alpha_{ext}} (pl_1,[D_1]) \;\Rightarrow^{t}_{\alpha_{id}} \circ \Rightarrow^{\varepsilon}_{\alpha_{ext}}\; (pl_2,[D_2]) \;\cdots\; \Rightarrow^{t}_{\alpha_{id}} \circ \Rightarrow^{\varepsilon}_{\alpha_{ext}}\; (pl,[D])$$

where $[D_0] = \{v_0\}$. By Theorem 4.2 and Theorem 3.1 we have that $\Rightarrow_{\alpha_{ext}}$ is sound. Thus, there exists
a concrete marking $(pl,v)$ such that $(pl_0,v_0) \rightarrow^* (pl,v)$ and $v \in [D]$. Since atomic propositions depend
only on the discrete part of a marking (placement function), it follows that $(pl,v) \models \psi$. □

Lemma 6.5 If $(pl_0,v_0) \models EF\psi$ then Algorithm 2 returns "YES".

Proof Assume that $(pl_0,v_0) \models EF\psi$. This means that $(pl_0,v_0) \rightarrow^* (pl,v)$ and $(pl,v) \models \psi$. We must
show that Algorithm 2 returns "YES". We define $\alpha_{ext}(pl,[D]) \stackrel{def}{=} [ext_{pl}(D)]$ as before. By Theorem 4.2
and Theorem 3.1 we get that $\Rightarrow_{\alpha_{ext}}$ is complete. Thus, there exists a symbolic marking $(pl,[D]) \models \psi$
such that $(pl_0,[D_0]) \;\Rightarrow_{\alpha_{ext}} \circ (\Rightarrow_{\alpha_{id}} \circ \Rightarrow_{\alpha_{ext}})^*\; (pl,[D])$ where $[D_0] = \{v_0\}$ and $v \in [D]$.

We will now argue that Algorithm 2 will find a symbolic marking $(pl',D')$ such that $(pl,[D]) \sqsubseteq (pl',[D'])$.
It is easy to see that Algorithm 2 together with Algorithm 1 implements a symbolic exploration of the form
$\Rightarrow^{\varepsilon}_{\alpha_{ext}} \circ (\Rightarrow^{t}_{\alpha_{id}} \circ \Rightarrow^{\varepsilon}_{\alpha_{ext}})^*$. However, notice that the algorithm discards some of the discovered
symbolic markings (lines 11 to 13 in Algorithm 2). If the algorithm finds a symbolic marking $(pl',D')$ for
which $(pl',[D']) \sqsubseteq (pl'',[D''])$ for some $(pl'',D'')$ in the PASSED or WAITING list, it will discard $(pl',D')$
(line 11). Similarly, if $(pl'',[D'']) \sqsubseteq (pl',[D'])$ for some $(pl'',D'')$ in the PASSED or WAITING list, it will
remove all markings $(pl'',[D'']) \sqsubseteq (pl',[D'])$ from both the PASSED and WAITING list (lines 12 to 13).
However, by Theorem 5.1 it is safe to skip these symbolic markings since the future behaviour of the
smaller symbolic markings is included in the larger symbolic marking (formally, by induction on the length
of the symbolic run above: every marking on the run is below some marking the algorithm has stored, and
Theorem 5.1 lets that stored marking match the next step of the run). Thus, it follows that Algorithm 2
will find a symbolic marking $(pl',D')$ such that $(pl,[D]) \sqsubseteq (pl',[D'])$. By Theorem 6.1 we have that if
the smaller marking satisfies $\psi$ then the larger marking $(pl',[D'])$ also satisfies $\psi$. Thus, Algorithm 2
returns "YES". □

The correctness of the reachability algorithm is hence established. 



7 Experiments 

We implemented the reachability algorithm in C++ and fully integrated it into the tool TAPAAL [9]
(www.tapaal.net), an open-source and platform-independent editor, simulator and verifier of extended
timed-arc Petri nets. In order to document the performance of our proposed algorithm, we present two
larger case studies: a Patient Monitoring System (PMS) and a communication protocol from the WS-Business
Activity standard [19]. Both models can be downloaded from the tool's homepage.
Messages    TAPAAL    TAPAAL incl.    Broadcast    Deg.2 Broadcast
   2           2.5         0.6            2.9             2.3
   3          11.6         2.1           12.0             7.8
   4          46.3         8.0           46.2            24.9
   5         164.1        29.1          165.0            73.5
   6        >400.0       109.6         >400.0           197.7
   7        >400.0       330.4         >400.0          >400.0

Table 2: BAwPC scaled by number of retransmission messages (time in seconds). Entries of the form
>400.0 denote runs that had not finished after 400 seconds.



The patient monitoring system (PMS) is a case study taken from [8]. The system monitors the pulse
rate and the level of oxygen saturation via sensors applied on the skin of a patient. It consists of three
components: sampling subsystem, signal analyzer and alarm. The purpose of the PMS model is to verify
that abnormal situations dangerous for the patient's health are detected within given deadlines. We have
verified the model for deadline violations both in the sampling component and in the signal analyzer. The
sampling delay has been varied from 28 down to 16 seconds. This increased the complexity of the
verification: the queries remained satisfied (no deadline violation is reachable), so the whole state-space
had to be searched.

In the second case study we verify the correctness of one of the web services coordination protocols
called Business Activity with Participant Completion (BAwPC) [19]. Our model is based on the work
presented in [11], where an enhanced protocol that avoids reaching any invalid states is given. We modelled
the protocol in TAPAAL and considered asynchronous communication where messages can be lost;
the model is scaled by the number of extra messages that can be used for retransmissions. The protocol
is correct and hence the whole state-space is searched.

We compare the performance of our implementation with the UPPAAL engine where the timed
automata models were obtained by automatic translations (called broadcast and degree 2 broadcast;
see [15, 16] for the details) from the TAPN models. We remark that the verification times of the translated
TAPN models are in general comparable with native UPPAAL models and in some examples the
translated models verify even faster than the native ones [18]. A direct comparison with other Petri net
tools extended with time, like Romeo [12] and TINA, is not possible due to the radically different
semantics of the Petri net models used in these tools.

All experiments were run on a MacBook Pro with a 2.7 GHz Intel Core i7 and 8 GB RAM, using the BFS
search strategy,  and the results are presented in Tables 1 and 2. The column TAPAAL refers to our
algorithm where the set of inclusion places has been set to empty and TAPAAL incl. is our algorithm
with the largest possible inclusion set. The user has the possibility to choose between these algorithms
(or even manually select the concrete inclusion places) because, for example, in the case of 1-safe Petri
nets where the inclusion is only rarely applied, the algorithm with the maximum inclusion set can be slower
due to the implementation overhead connected with inclusion checking of markings on the passed and
waiting lists. Indeed, in situations like in Table 1 the full inclusion checking is not that beneficial, unlike
nets like in Table 2 where we have many tokens (messages) in the same place.

8 Conclusion 

We presented a reachability algorithm for extended timed-arc Petri nets and implemented it within the
tool TAPAAL. The algorithm includes efficient extrapolation and symmetry reduction techniques that
show a very encouraging performance even on larger case studies. We would like to emphasize the fact
that all features that are implemented in the tool are formally defined and proved correct. We believe that
our tool, available at www.tapaal.net, is one of rather few reasonably-sized model checkers with a complete
correctness proof taking into account all implemented optimizations and reduction techniques. In
future work we shall look at extending the technique to liveness properties and at further performance
improvements by using, for example, LU-extrapolation.